AKA - ROB WRITES POWERSHELL!!
Yesterday I posted a way to dump hashes using a Domain Controller account. But how do you know which account to use? And when was its password last set? net user unfortunately won't do computer accounts.
So I decided to write a PowerShell script to find out. Unfortunately Windows 7 doesn't come with the ActiveDirectory PowerShell module (I'm sure there is another way to do this but here is how I did it).
Installed the Remote Server Administration Tools - http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx (Not stealthy)
Then I was able to use the following janky script I wrote to find all of the PasswordLastSet values for all of the Domain Controllers:
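Import-Module ActiveDirectory

# Note: this filter returns only DCs that are global catalogs; use -Filter * for every DC
$dclist = Get-ADDomainController -Filter { isGlobalCatalog -eq $true } | Select-Object Name
Foreach ($dc in $dclist)
{
    # PasswordLastSet is not returned by default, so request it explicitly
    $lastset = Get-ADComputer $dc.Name -Properties PasswordLastSet
    Write-Host "$($dc.Name) - $($lastset.PasswordLastSet)"
}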
This would probably be an awesome recon / situational awareness module for Empire ( https://github.com/PowerShellEmpire/Empire ) but written better hopefully.
Output is pretty simple, it looks like this:
DC1 - 09/15/2015 07:05:40
Now I know that I have about 29 days left of valid use of that hash.
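The same PasswordLastSet lookup can serve as a defender's audit: the longer a Domain Controller's machine account password goes unrotated, the longer a captured hash for it stays usable. The block below is an added example, not code from the original post; the function name Get-MachinePasswordAge, the sample rows and the reference date are constructed for illustration. It assumes PowerShell 3.0 or later and the Windows default 30-day maximum machine account password age.

```powershell
# Added example: audit machine-account password age. Not from the original post.
# MaxAgeDays = 30 is the Windows default "Maximum machine account password age";
# change it if your domain's policy differs.
function Get-MachinePasswordAge {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Computer,
        [int]$MaxAgeDays = 30,
        [datetime]$Now = (Get-Date)
    )
    process {
        if ($null -eq $Computer.PasswordLastSet) {
            # No timestamp recorded for this account
            $age = $null
            $status = 'NeverSet'
        } else {
            $age = [math]::Floor(($Now - $Computer.PasswordLastSet).TotalDays)
            # Older than the rotation window: rotation is disabled or the host is not checking in
            $status = if ($age -gt $MaxAgeDays) { 'Overdue' } else { 'OK' }
        }
        [pscustomobject]@{
            Name            = $Computer.Name
            PasswordLastSet = $Computer.PasswordLastSet
            AgeDays         = $age
            DaysToRotation  = if ($null -ne $age) { $MaxAgeDays - $age }
            Status          = $status
        }
    }
}

# Constructed sample rows so the function runs without a domain.
$now = [datetime]'2015-09-16T07:05:40'
$sample = @(
    [pscustomobject]@{ Name = 'DC1'; PasswordLastSet = [datetime]'2015-09-15T07:05:40' }
    [pscustomobject]@{ Name = 'DC2'; PasswordLastSet = [datetime]'2015-06-01T12:00:00' }
    [pscustomobject]@{ Name = 'DC3'; PasswordLastSet = $null }
)
$sample | Get-MachinePasswordAge -Now $now | Format-Table -AutoSize

# Live use (requires the ActiveDirectory module), covering every DC, not only GCs:
# Get-ADDomainController -Filter * |
#     ForEach-Object { Get-ADComputer $_.Name -Properties PasswordLastSet } |
#     Get-MachinePasswordAge | Where-Object Status -ne 'OK'
```

Any row reported as Overdue is a machine account whose password has outlived the rotation window and is worth investigating or resetting.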